EPSS percentile: 30.8%
Apache Karaf is vulnerable to privilege escalation. A user with the viewer role and no admin privilege is allowed to call any get* operation by the default ACL in etc/jmx.acl.cfg. Because getMBeansFromURL matches that wildcard, such a user can invoke it, which can lead to SSRF and pollution of the MBean registry.
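The following etc/jmx.acl.cfg fragment is an added illustration by the editor, not the Karaf default file or the contents of the linked fix commit. It assumes Karaf's documented ACL format (operation pattern = comma-separated roles) and its rule that an exact operation name is a more specific match than a wildcard; the role names and the getMBeansFromURL entry are shown only to contrast the weak setting with a tightened one.

```properties
# --- Weak configuration (constructed example) ---
# The get* wildcard grants every getter-style JMX operation to "viewer",
# and getMBeansFromURL (MLet) matches that wildcard, so a viewer can load
# MBeans from an arbitrary URL.
list* = viewer
get*  = viewer
is*   = viewer
set*  = admin
*     = admin

# --- Tightened configuration (constructed example, editor's assumption) ---
# An exact operation name is a more specific match than get*, so this line
# takes precedence: loading MBeans from a URL now requires "admin", while
# ordinary read-only getters remain available to "viewer".
getMBeansFromURL = admin
list* = viewer
get*  = viewer
is*   = viewer
set*  = admin
*     = admin
```

Operators on affected versions should apply the vendor fix from the references rather than rely on this fragment alone; the entry above only shows the shape of the restriction.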
karaf.apache.org/security/cve-2020-11980.txt
github.com/apache/karaf/commit/3e4c4bed2d08e81ca5961ab5fcadab23470db1c9
issues.apache.org/jira/browse/KARAF-6763